The Department of Justice announced the guilty plea of Nghia Hoang Pho, who worked at the National Security Agency (NSA) within the Tailored Access Operations (TAO) group as a software developer. On November 29 he signed a guilty plea in which he admitted to having removed and retained U.S. government documents, some at the Top Secret – Special Compartmented Information (SCI) level, over a period of five years.

Five years of data hoarding

For five years Pho was squirreled away as a developer within the highly sensitive and secret NSA TAO group, whose work the Department of Justice (DOJ) describes as having “involved operations and intelligence collection to gather data from target or foreign automated information systems or networks and also involved actions taken to prevent, detect, and respond to unauthorized activity within Department of Defense information systems and computer networks, for the United States and its allies.” During his five years of employment Pho removed this highly sensitive information and retained it, in both hard copy and digital form, at his Maryland residence.

In the court papers, the DOJ notes the security training provided to Pho, including annual counterintelligence briefs, and the fact that his access to SCI materials required additional security briefings. There was no doubt Pho knew that his unlawful retention of national security secrets at his residence was wrong.

How was Pho detected?

The plea agreement and information letter reference a sealed supplement, which no doubt contains the specifics on what exactly was retained by Pho. That said, in early October there was a flurry of media coverage surrounding the fact that Russia-based Kaspersky had downloaded information from an NSA contractor’s laptop. The information which Kaspersky acquired appeared to be labeled as coming from the Equation Group, Kaspersky’s name for NSA’s TAO. The Chicago Tribune picked up the lead and identified the individual as being a Vietnamese national. It would appear the Chicago Tribune was partially correct.

Pho, now identified, apparently came to the attention of the NSA through the investigation into Russian targeting of the NSA. His laptop, having been compromised by Kaspersky, actually demonstrated to the NSA that they had a security leak, and the subsequent internal damage investigation may have identified Pho and his unique access to specific offensive malware.

NSA’s data is walking out the door

This is not the first instance of an NSA employee or contractor being arrested for the unlawful possession of classified materials in the last 18 months. Harold Martin managed to exfiltrate over 50 terabytes of information from NSA over the course of his tenure. Reality Winner stuffed a secret program brief, believed to be from this same NSA TAO, into her pantyhose and walked it out the door of her highly secured facility.

These continued lapses in security are clear evidence the NSA’s insider threat training program is due for an overhaul. The actions of these three besmirch the efforts of the many thousands who work within the NSA. All within the organization must rally and increase their attention to the insider threat and the need to self-police their environment.

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of